Azure network security groups "best practices"

For a long time I couldn't figure out what I could write about that would also be useful to you, until Tim tweeted about Azure network security group best practices:

In @Azure, network security group (NSG) priority values can range from 100 to 4096. Best practice is to put lots of space between rules to allow for future additions

I didn't swallow this best practice without biting, and while tweeting with other people about it I finally got an idea of what to write about. Thanks Tim!

Azure network security rules 101

Azure network security groups are used to filter traffic to and from an Azure virtual network. A network security group contains security rules that either allow or deny traffic. In a rule you define the allowed or denied traffic at OSI Layer 3 and 4 (addresses, ports and protocol).


In short, it is an access control list (ACL). What does this really mean? If you don't open an inbound port for the service you are trying to publish, nobody can connect to it.

The exceptions are resources inside the same virtual network, traffic arriving through the Azure load balancer, and peered virtual networks (in any region) when VNet peering is in place.

Azure default traffic rules

When you create a network security group you get the following set of default inbound rules:

| Rule name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVNetInBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
| DenyAllInbound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

and the following set of default outbound rules:

| Rule name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVnetOutBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowInternetOutBound | 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |
| DenyAllOutBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

VirtualNetwork, Internet and AzureLoadBalancer are service tags.

"A service tag represents a group of IP address prefixes from a given Azure service. It helps to minimize the complexity of frequent updates on network security rules." (Microsoft)

Rule Evaluation

Rules are evaluated in priority order (lowest number first) by matching the traffic's 5-tuple; the first matching rule is applied and evaluation stops.

A 5-tuple refers to the set of five values that identify a Transmission Control Protocol/Internet Protocol (TCP/IP) connection: source IP address and port, destination IP address and port, and the protocol in use.

Here is an example of my default rule set:

[Image: Example of rule set]

So if I try to connect to my web server at 10.10.10.10 with WinRM from 172.16.200.10, the traffic hits the "AllowManagement" rule and is accepted by the NSG. If I try to connect from 172.16.200.10 to port 443 on 10.10.10.10 (my web server), the traffic hits the "DropAll" rule and is dropped, because I haven't defined a rule for port 443. I can simply add a new line to the NSG to allow it:

[Image: Allow port 443 to web server]

Now I can connect to "my web server", but wait…

  • My friend “Randy” can’t connect to my web server

  • I haven't added port 80 for non-TLS traffic

Should I create new lines for these, and do I need to drop all other web traffic after that? Now we're getting to my best practices :D

My Best Practices

  1. KISSB

    What I mean by this: when you are on call and have been awake for 72 hours, you need to understand what is going on in the rule set. If you are trying to do fancy stuff with network security groups ("I want all our employees to connect to this server, but not Bob and Alice because they wear the wrong colour T-shirt"), then you are doing the wrong thing in the wrong place and you will end up with a messed-up rule set. This rule applies to all basic networking in Azure.

    • KISSB stands for 'keep it simple stupid bastard'; this is my favourite saying at all times… maybe after "VMP!" (a stupid Finnish joke)

  2. Don’t use DROP rule

    Don't ever ever ever ever ever ever use a DROP rule in your NSG rule set unless it is the last rule you can define, i.e. rule number 4096. PERIOD!!!

    What happens if I add rule number 103, whose purpose is to drop ports 80 & 443 from any source IP address, and a week later I need to give Randy access to the web server 10.10.10.20 over HTTP and HTTPS? First I need to remove rule 103 and add a new rule that accepts traffic from Randy's IP address, then I need to add rule number 104, which drops all traffic to ports 80 & 443. And a week after that Alice needs access to web server 10.10.10.15; this is when I shout "VMP!" or "I will go and shoot myself".

    But hey, we have rule number 4096, which is the DROP ALL rule, so there is no need to define a separate DROP rule for port 80 & 443 traffic.

    • If you need to add a drop rule in between accept rules, please refer to rule number 1.

    • Remember that you can use multiple subnets in Azure, or even multiple virtual networks, if you want proper network segmentation.

  3. Assign network security groups to subnet level

    Don't attach NSGs to network interfaces, and don't share one NSG across multiple subnets.

  4. Use minimal set of rules

    You can add multiple source addresses, source ports, destination addresses and destination ports to a single rule. You could even use the ANY protocol, but I prefer a single protocol per rule.

    • This is how Randy can access my web server: I just added Randy's IP address to rule number 102

    • And I have also enabled port 80 traffic for HTTP on rule 102

    • And yes, all other traffic to ports 80 & 443 is dropped by rule number 4096

  5. Rule Naming and documentation

    Use some kind of naming convention for rule names and add a description of what the rule is supposed to do, even one sentence, please.

  6. Use automation

    You can use ARM templates/Ansible/Terraform/PowerShell/Azure CLI… to provision network security groups and rules. Just do it.

    Because it is a much faster way to deploy, modify and audit rules than clicking through the Azure portal.

    • Add automation templates/scripts to version control
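To make the priority/first-match evaluation and practices 2 and 4 concrete, here is an added Python model of NSG inbound rule evaluation (example code, not from the post and not Azure's own implementation). The 10.10.10.10 web server, the 172.16.200.10 management address and the rule names come from the post; Randy's address, the service-tag prefixes and the WinRM port range 5985-5986 are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Service tags resolved to constructed prefixes for this example; the real tags
# cover Microsoft-published ranges that change over time.
SERVICE_TAGS = {"VirtualNetwork": ["10.10.0.0/16"], "Internet": ["0.0.0.0/0"],
                "AzureLoadBalancer": ["168.63.129.16/32"]}
Rule = namedtuple("Rule", "priority name source destination dport protocol access")

def _nets(spec):
    """Expand '*', an IP/CIDR, a service tag, or a list of those into networks."""
    return [ip_network(p) for s in (spec if isinstance(spec, list) else [spec])
            for p in SERVICE_TAGS.get(s, ["0.0.0.0/0" if s == "*" else s])]

def _port_ok(spec, port):
    """Port spec: '*', '443', '5985-5986' or a list of those (one rule, many ports)."""
    for s in (spec if isinstance(spec, list) else [spec]):
        lo, _, hi = s.partition("-")
        if s == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src, dst, dport, proto="Tcp"):
    """NSG semantics: lowest priority number first, and the first matching rule wins."""
    src, dst = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", proto)
                and any(src in n for n in _nets(r.source))
                and any(dst in n for n in _nets(r.destination))
                and _port_ok(r.dport, dport)):
            return r.name, r.access
# Azure's default inbound rules (priorities 65000/65001/65500, as in the post).
DEFAULTS = [
    Rule(65000, "AllowVNetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule(65500, "DenyAllInbound", "*", "*", "*", "*", "Deny"),
]
WEB, ADMIN, RANDY = "10.10.10.10", "172.16.200.10", "198.51.100.25"  # Randy's IP is constructed
# Practice 4: one allow rule with several sources and ports, then DropAll at 4096.
GOOD = DEFAULTS + [
    Rule(100, "AllowManagement", ADMIN, WEB, "5985-5986", "Tcp", "Allow"),
    Rule(102, "AllowWeb", [ADMIN, RANDY], WEB, ["80", "443"], "Tcp", "Allow"),
    Rule(4096, "DropAll", "*", "*", "*", "*", "Deny"),
]
# Anti-pattern from practice 2: the deny at 103 shadows the later allow for Randy.
BAD = DEFAULTS + [
    Rule(103, "DropWeb", "*", WEB, ["80", "443"], "Tcp", "Deny"),
    Rule(104, "AllowRandyWeb", RANDY, WEB, ["80", "443"], "Tcp", "Allow"),
    Rule(4096, "DropAll", "*", "*", "*", "*", "Deny"),
]
```

Running `evaluate(BAD, RANDY, WEB, 443)` shows Randy hitting DropWeb even though rule 104 allows him, while the GOOD set needs no mid-range deny at all.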

Thanks for reading and this is finally true